Links

Auth0 Logs

Panther supports receiving Auth0 logs directly via webhook

Overview

Panther ingests Auth0 tenant logs by configuring Auth0's log streaming service to post events to a Panther HTTP source.

How to onboard Auth0 logs to Panther

Step 1: Create a new Auth0 source in Panther

  1. 1.
    In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
  2. 2.
    Click Create New.
  3. 3.
    Search for “Auth0,” then click its tile.
    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
  4. 4.
    Click Start Setup.
    The Auth0 log source setup page is shown, in the Panther Console. In the upper-right corner, the Transport Mechanism dropdown has a value of "HTTP," and to its right is a Start Setup button. Both are circled.
  5. 5.
    Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
    • During setup, on the security configuration page, you will be required to use bearer authentication; this is the only method of authentication Auth0 supports. You can generate a token value by clicking the circular arrows, or supply your own.
      A section titled "Bearer Authentication" is shown. To the right of a "Bearer Token Value" field there is a button with two arrows arranged in a circle, and this button is circled.
    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.
    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Create a new Log Stream in Auth0

  1. 1.
    Log in to your Auth0 tenant.
  2. 2.
    From the dashboard, navigate to Monitoring > Streams.
  3. 3.
    Click Create Stream.
  4. 4.
    Select Custom Webhook.
  5. 5.
    Give your Event Stream a descriptive name, e.g., Panther Log Stream.
  6. 6.
    In the Payload URL field, paste the URL for the Auth0 HTTP source in Panther you generated in the previous step of this process.
  7. 7.
    In the Authorization Token field, enter the bearer token you used when setting up the Auth0 source in Panther, in the previous step of this process.
    • Enter this value in the form Bearer <token value>.
  8. 8.
    Click Save.

Panther-managed detections

Supported log types

Auth0.Events

Auth0.Events are event logs from the Auth0 log stream. For more information, see Auth0's documentation on tenant log events.
```yaml
schema: Auth0.Events
description: Event logs from Auth0 Log Stream
referenceURL: https://auth0.com/docs/deploy-monitor/logs
fields:
- name: log_id
required: true
description: The ID of the log.
type: string
- name: asdfg
type: array
validate:
allow: ['authentication']
element:
type: string
- name: data
required: true
description: The data object containing information about the log.
type: object
fields:
- name: date
description: Date/Time when the event occurred.
type: timestamp
isEventTime: true
timeFormats:
- rfc3339
- name: type
description: Type of event.
type: string
- name: description
description: Description of this event.
type: string
- name: connection
description: Name of the connection the event relates to.
type: string
- name: connection_id
description: ID of the connection the event relates to.
type: string
- name: client_id
description: ID of the client (application).
type: json
- name: client_name
description: Name of the client (application).
type: string
- name: ip
description: IP address of the log event source.
indicators:
- ip
type: string
- name: client_ip
type: string
description: IP address of the client which caused the event.
indicators:
- ip
- name: hostname
description: Hostname the event applies to.
type: string
- name: user_id
description: ID of the user involved in the event.
type: string
indicators:
- username
- name: user_name
description: Name of the user involved in the event.
type: json
indicators:
- username
- name: audience
description: API audience the event applies to.
type: string
- name: scope
description: Scope permissions applied to the event.
type: json
- name: strategy
description: Name of the strategy involved in the event.
type: string
- name: strategy_type
description: Type of strategy involved in the event.
type: string
- name: details
description: Additional useful details about this event (structure is dependent upon event type).
type: json
- name: log_id
description: Unique ID of the event.
type: string
- name: is_mobile
description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
type: boolean
- name: user_agent
description: User agent string from the client device that caused the event.
type: string
- name: location_info
description: Information about the location that triggered this event based on the IP.
type: object
fields:
- name: country_code
description: Two-letter Alpha-2 ISO 3166-1 country code.
type: string
- name: country_code3
description: Three-letter Alpha-3 ISO 3166-1 country code.
type: string
- name: country_name
description: Full country name in English.
type: string
- name: city_name
description: Full city name in English.
type: string
- name: latitude
description: Global latitude position.
type: float
- name: longitude
description: Global longitude position.
type: float
- name: time_zone
description: Time zone name as found in the tz database.
type: string
- name: continent_code
description: Two-letter continent code.
type: string
```